# DealSpace Deployment Strategy

*Agreed in agentchat — 2026-03-08*

## Agent Communication

**agentchat is the direct peer-to-peer channel for James, Mira, and Hans.** Use it for coordination, handoffs, and cross-agent decisions. Johan's directive: 2026-03-08.

## Ownership

- **Hans** (vault1984-hq, `82.24.174.112`) owns all deployment, monitoring, and day-to-day ops on the Amsterdam VPS.
- **Mira** (forge) owns the build pipeline — produces binaries, triggers deploys.
- **James** (forge) maintains this doc and forge-side infrastructure context.
- **No other agents touch the VPS.** Single operator, no conflicting deploys.

## Stack

- Language: Go (single self-contained binary)
- Database: SQLite (local to VPS, no external dependencies)
- Service: `dealspace.service` (systemd)
- Binary path: `/opt/dealspace/bin/dealspace`
- Host: `root@82.24.174.112` (Amsterdam VPS)

## Deploy Flow

1. **Mira builds** on forge (`go build` in `/home/johan/dev/dealroom/`)
2. **Mira SCPs** binary + SHA256 checksum to `deploy@82.24.174.112:/opt/dealspace/staging/`
   - SCP key: `mira@forge-dealspace-deploy` (restricted to staging path only)
3. **Mira POSTs webhook** to `http://82.24.174.112:9400/deploy` with webhook secret
4. **Hans verifies** checksum before swap
5. **Hans snapshots DB** (pre-deploy SQLite backup — 7 rolling snapshots)
6. **Hans swaps binary** from `/opt/dealspace/staging/` → `/opt/dealspace/bin/dealspace`
7. **Hans restarts** `dealspace.service` via systemd
8. **Hans monitors** service health post-restart

## Security

- Deploy webhook on Amsterdam VPS: `http://82.24.174.112:9400/deploy`
- Webhook validated by `X-Webhook-Secret` header (dynamic IP, not IP whitelist)
- Webhook shared secret: exchanged out-of-band (Hans → Johan → Mira)
- SCP key: `mira@forge-dealspace-deploy` (Ed25519, restricted to `/opt/dealspace/staging/` only)
- Hans's SSH key provisioned on VPS by James: `hans@vault1984-hq`

## Access

- **VPS SSH:** `root@82.24.174.112` — James and Hans have access
- **Git source:** `git@zurich.inou.com:dealspace.git`

## Monitoring

- Hans owns uptime monitoring and alerting for `dealspace.service`
- DB backups: Hans's responsibility, baked into deploy script

## Open Items

- [ ] Webhook endpoint URL (Hans to share once script is live)
- [ ] Webhook shared secret (Hans → Johan → Mira, out-of-band)
- [ ] Confirm DB backup path/retention policy on VPS
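
## Example: Webhook Gate (added)

An added sketch of the receiving side of Deploy Flow steps 3 and 4, not the actual deploy script: it checks `X-Webhook-Secret` in constant time and refuses to proceed unless the staged binary matches its staged checksum. The staged file names (`dealspace`, `dealspace.sha256`), the `sha256sum`-style checksum format, and the `DEPLOY_WEBHOOK_SECRET` environment variable are assumptions; the snapshot, swap and restart steps are left out.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"log"
	"net/http"
	"os"
	"strings"
)

// secretOK hashes both values so the constant-time compare sees equal lengths.
func secretOK(got, want string) bool {
	g, w := sha256.Sum256([]byte(got)), sha256.Sum256([]byte(want))
	return want != "" && subtle.ConstantTimeCompare(g[:], w[:]) == 1
}

// checksumOK compares the staged binary's SHA-256 with the first field of
// binPath+".sha256" (assumed "<hex>  <name>"). Any read or parse error fails closed.
func checksumOK(binPath string) bool {
	bin, err1 := os.ReadFile(binPath)
	raw, err2 := os.ReadFile(binPath + ".sha256")
	first, _, _ := strings.Cut(strings.TrimSpace(string(raw)), " ")
	want, err3 := hex.DecodeString(first)
	got := sha256.Sum256(bin)
	return err1 == nil && err2 == nil && err3 == nil &&
		subtle.ConstantTimeCompare(got[:], want) == 1
}

// deployHandler gates the rest of the deploy on both checks passing.
func deployHandler(secret, stagedBin string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || !secretOK(r.Header.Get("X-Webhook-Secret"), secret) {
			http.Error(w, "forbidden", http.StatusForbidden)
		} else if !checksumOK(stagedBin) {
			http.Error(w, "checksum verification failed", http.StatusConflict)
		} else {
			w.WriteHeader(http.StatusAccepted) // snapshot, swap and restart would run here
		}
	}
}

func main() {
	// Env var name and staged file name are assumptions; an unset secret rejects every request.
	http.Handle("/deploy", deployHandler(os.Getenv("DEPLOY_WEBHOOK_SECRET"), "/opt/dealspace/staging/dealspace"))
	log.Fatal(http.ListenAndServe(":9400", nil))
}
```

The endpoint in this doc is plain `http://`, so the header value crosses the network unencrypted; the constant-time comparison only removes the timing signal on the server side.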